LilithBot, a multipurpose malware sample, was found by ThreatLabz. Further investigation indicated that malware was connected to the Eternity group (also known as EternityTeam or Eternity Project), a threat organization related to the Russian Jester Group.
LilithBot’s services were spread via a Telegram channel and a Tor URL for these numerous payloads. It contained a built-in miner, stealer, and clipper in addition to its main botnet activity.
How Does it Affect?
Registration of the LilithBot is the first step in the process. The malicious software first verifies a Mutex called “8928a2d3-173b-43cb-8837-0e2e88b6d3b1” before looking for a file in the Startup folder.
The filename is given the .exe extension and entered in the Startup path, successfully registering the bot.
It was also observed that the malware utilizes its own decrypting technique so that it cannot be manually decoded; it also uses fake Microsoft-signed certificates to avoid detection.
How Do They Distribute?
Eternity promotes LilithBot and other toolkits via their Tor page and a Telegram channel owned by “@EternityDeveloper,” both of which they keep updated. Threat actors also offer custom malware for sale and accept payments in various cryptocurrencies, including BitCoin, Ethereum, Monero (XMR), and Doge.
Ransomware is Eternity’s most expensive service; a video on how to create the ransomware payload is available on the Tor page.
The primary function varies in different releases of LilithBot malware. The latest variant lacks some commands that were included in earlier variants:
- Iterating through an arraylist to check for different DLLs (related to virtual software like Sandboxie and 360 Total Security)
- Ensuring there is a physical connection rather than a virtual machine by checking for Win32_PortConnector.
These tasks are probably still carried out by Eternity, albeit in more advanced ways, like using encrypted code.
TTPs and thorough technical analysis of malware is available here.